Fix dnscrypt-proxy socket restart and remove problematic BPF hardening

Two important fixes: 1. Fix dnscrypt-proxy socket not restarting with new configuration - The socket wasn't properly restarting when its override config changed - This caused DNS to listen on wrong IP (127.0.2.1 instead of local_service_ip) - Now directly restart the socket when configuration changes - Add explicit daemon reload before restarting 2. Remove BPF JIT hardening that causes deployment errors - The net.core.bpf_jit_enable sysctl isn't available on all kernels - It was causing "Invalid argument" errors during deployment - This was optional security hardening with minimal benefit - Removing it eliminates deployment errors for most users These fixes ensure reliable DNS resolution for VPN clients and clean deployments without error messages. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-03 10:33:13 +02:00 · 2025-08-17 21:47:28 -04:00 · 2025-08-17 21:47:28 -04:00 · 30fb6e6c12
commit 30fb6e6c12
parent c2ae4fa6d6
2 changed files with 9 additions and 21 deletions
--- a/roles/dns/tasks/ubuntu.yml
+++ b/roles/dns/tasks/ubuntu.yml
@ -82,8 +82,15 @@
    - restart dnscrypt-proxy.socket
    - restart dnscrypt-proxy

- name: Ubuntu | Flush handlers to restart socket if needed
-  meta: flush_handlers
+- name: Ubuntu | Reload systemd daemon after socket configuration
+  systemd:
+    daemon_reload: true
+  when: socket_override.changed
+
+- name: Ubuntu | Restart dnscrypt-proxy socket to apply configuration
+  systemd:
+    name: dnscrypt-proxy.socket
+    state: restarted
  when: socket_override.changed

 - name: Ubuntu | Add custom requirements to successfully start the unit
--- a/roles/privacy/tasks/advanced_privacy.yml
+++ b/roles/privacy/tasks/advanced_privacy.yml
@ -12,15 +12,6 @@
    - { name: 'kernel.dmesg_restrict', value: '1' }
  when: privacy_advanced.reduce_kernel_verbosity | bool

- name: Disable BPF JIT if available (optional security hardening)
-  sysctl:
-    name: net.core.bpf_jit_enable
-    value: '0'
-    state: present
-    reload: yes
-  when: privacy_advanced.reduce_kernel_verbosity | bool
-  ignore_errors: yes
-
 - name: Configure kernel parameters for privacy
  lineinfile:
    path: /etc/sysctl.d/99-privacy.conf
@ -31,18 +22,8 @@
    - "# Privacy enhancements - reduce kernel logging"
    - "kernel.printk = 3 4 1 3"
    - "kernel.dmesg_restrict = 1"
-    - "# Note: net.core.bpf_jit_enable may not be available on all kernels"
  when: privacy_advanced.reduce_kernel_verbosity | bool

- name: Add BPF JIT disable to sysctl config if kernel supports it
-  lineinfile:
-    path: /etc/sysctl.d/99-privacy.conf
-    line: "net.core.bpf_jit_enable = 0  # Disable BPF JIT to reduce attack surface"
-    create: yes
-    mode: '0644'
-  when: privacy_advanced.reduce_kernel_verbosity | bool
-  ignore_errors: yes
-
 - name: Configure journal settings for privacy
  lineinfile:
    path: /etc/systemd/journald.conf